What are the main application security challenges for organisations, and how are they best addressed? In particular, for the modern web application, the mobile application and the client/server application?
For web applications, attacks on an organisation's website can be used to steal information, to attack users of the site, or to damage the company through defacement, data destruction or denial of service. The two vulnerabilities most often used in such attacks are cross-site scripting (XSS) and SQL injection, which together account for over 50% of such attacks.
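The two vulnerability classes named above, shown as an added illustration that is not code from the original article or from E-SPIN: a login query built by string formatting beside the same query with bound parameters, and an HTML fragment that interpolates user input raw beside one that escapes it. The user table, the credentials and the two payloads are constructed for the example, and the table stores plaintext passwords only to keep the sample short (a real system would store password hashes).

```python
"""SQL injection and XSS: the vulnerable form beside the hardened form.

Added example for this article, not E-SPIN's code. Standard library only
(sqlite3 and html); the database is an in-memory table constructed below.
"""
import html
import sqlite3

# Constructed attacker inputs. The SQL payload closes the username literal,
# ORs in an always-true comparison, and comments out the rest of the query
# ("--" starts a comment in SQLite). The XSS payload is a plain script tag.
SQLI_PAYLOAD = "' OR '1'='1' --"
XSS_PAYLOAD = "<script>alert(1)</script>"


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users (assumption: in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string formatting, so input becomes part of the SQL."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver binds the values as data, never as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Interpolates user input straight into HTML: reflected XSS."""
    return f"<p>Welcome, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Escapes &, <, >, \" and ' so the input renders as text, not markup."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    # The injected username logs in without a valid password and returns
    # every row; the parameterised version returns nothing for the same input.
    print("vulnerable:", login_vulnerable(db, SQLI_PAYLOAD, "wrong"))
    print("safe:      ", login_safe(db, SQLI_PAYLOAD, "wrong"))
    print(render_greeting_vulnerable(XSS_PAYLOAD))
    print(render_greeting_safe(XSS_PAYLOAD))
```

The fix in both cases is the same principle: keep data and code apart by handing user input to an API that treats it as data (bound parameters for SQL, context-aware escaping for HTML) instead of pasting it into the code string yourself.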
For mobile applications, attacks on an organisation's app come either through vulnerable third-party modules and libraries that the developers have incorporated into it, or through the mobile device itself being exposed to malware distributed via app stores.
For traditional and modern client/server and standalone applications, in whatever language they are written, whether popular ones such as .NET and Java, or C and C++ for mission-critical applications, the problem is the absence of static and secure code analysis integrated into the IDE and applied across the whole project, together with releases that have not gone through complete quality and performance testing.
All of the above are the traditional, typical problems that development and security teams encounter and take time to resolve.
As the world moves toward DevOps, cycle times are radically reduced in response to market and management demand. Lacking the time and the DevOps-ready tools and systems, teams find it difficult to adopt DevOps while still performing programming, QA/QC, performance, load, quality and security testing the old-fashioned way within the faster cycle expected of them.
If you want the productivity gains needed to cope with DevOps, you need to completely rethink your approach. You need to let go of past practices and of the old, traditional tools that were designed and built for those practices.
In DevOps, the trend is to break large development groups into smaller teams, each handling a micro-site or microservice, in order to reach the required speed. So the new set of tools must be capable of testing microservices. And since application containers are the direction the industry is taking, security testing tools must also be capable of container security testing.
If part of the development is outsourced to a third party, you need a system capable of controlling and inspecting the quality of the code and programs the third party develops for you, including the modules and libraries they bring in (this requires software composition analysis (SCA) and vendor application security testing (VAST)).
To make developers produce better and more consistent code, enforce secure coding practice for every developer by installing a plugin into their Integrated Development Environment (IDE), so that code is written securely the first time and the far more costly rework later is avoided. Computer-based training (CBT) in secure coding and programming is ideal for developing programmer competency at each person's own pace.
Once the program is ready, scan it with static application security testing (SAST) before it moves toward the production environment. From there, continue with dynamic application security testing (DAST), supplemented by manual application security testing and penetration testing.
If a mobile application is involved, it must also go through mobile application security testing, in both its static and dynamic forms.
Not all traditional application security testing (AST) tools can cope with modern DevOps requirements. A big name in the past does not mean a tool remains the right one for the DevOps journey.
Feel free to talk with E-SPIN about your DevOps requirements, end to end or in part, whether you are transitioning from traditional development to DevOps or trying to get a secure SDLC right for your team in the face of modern changes and challenges.